Malware Analysis Report

2025-01-19 05:42

Sample ID 210820-1kagr6xah2
Target 354257dc6e4704844cb01aa811ce141358cd49e7c523f717bb43b6a3a099fb89.apk
SHA256 354257dc6e4704844cb01aa811ce141358cd49e7c523f717bb43b6a3a099fb89
Tags
flubot banker infostealer obfuscation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

354257dc6e4704844cb01aa811ce141358cd49e7c523f717bb43b6a3a099fb89

Threat Level: Known bad

The file 354257dc6e4704844cb01aa811ce141358cd49e7c523f717bb43b6a3a099fb89.apk was found to be: Known bad.

Malicious Activity Summary

flubot banker infostealer obfuscation trojan

FluBot

FluBot Payload

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Uses reflection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-08-20 07:03

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-20 07:03

Reported

2021-08-20 07:06

Platform

android-x86-arm

Max time kernel

1650578s

Command Line

com.autonavi.minimap

Signatures

FluBot

banker trojan infostealer flubot

FluBot Payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A |
| N/A | /data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A |

Requests enabling of the accessibility settings.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Uses reflection

obfuscation

| Description | Indicator | Process | Target |
|---|---|---|---|
| Invokes method | android.view.ViewGroup.makeOptionalFitsSystemWindows | N/A | N/A |
| Accesses field | com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A |

Processes

com.autonavi.minimap

com.autonavi.minimap

/system/bin/dex2oat

Network

N/A

Files

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/MultiDex.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/tmp-base.apk.classes1989932189699479524.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/base.apk.classes1.zip.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/oat/x86/base.apk.classes1.vdex

MD5 80f03df353f388b1ddde047663c1539a
SHA1 dc426d9bb50cac355b263b52b092c346c2588ecc
SHA256 7fd14ee2a2db0a442dca6ef6de1b5a435f1dee81d66caecf0d1e046200b4f3d9
SHA512 eb23ac99daa35f2fa972f24d3305c1752e002adb158a24283652cccf8573a631d170c87c9916aab37dcb1e25ef84290af0fe1cb1ba3a79c5a192d1b11c853c9d

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex

MD5 d1dd1b5c8dca635097244c0e3d5c9cb4
SHA1 1750be435635d7f6ad77f012377f948a6dd344c0
SHA256 4ea14f60b9936b097d809d8be40e8a1ee4dcf65ffacd2b589da740fb356cc465
SHA512 072acbb3388c857f26e8169233fcd1f8305fd9ab9dd09b7619d4a24333eb195e508df2e600e00e241aaaedb0dd4b371acdc97414c30b7fde7ce1951bbbd2ccc7

/data/user/0/com.autonavi.minimap/shared_prefs/multidex.version.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.autonavi.minimap/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 ece3f5935e289cc2a6cbd395ee2480b1
SHA1 d9a6edeb184c42b54583a9eb782443e2e0445e47
SHA256 39ed3c48555285eaa5adfb047d6bc2b267c2238b4eac710a373ce0dc5f25a6ee
SHA512 d85103c36c9b0146fd1b800196595456e9435a6e1f19b5c8a53bf56a751f40a3ffbe839331df6e5b5189108c4e2076057f07bd6587f71a9117504ab885d42e5a

/data/user/0/com.autonavi.minimap/shared_prefs/Voicemail.xml

MD5 15cc8c89c0a0624539f64ee0943c102b
SHA1 98cdc25ad962deff252c471efee819eb869ce929
SHA256 1208c35bc0305c890c811014c66bee5142f74e4bb545f43d12418d621ff4d6a5
SHA512 cfa29fc4651553691f423de49d5ebf6c5d77e31ec43dfc4a6163d0ba260bc97b965375e60394c46dd14b574ce3d0808c795128c1445559b80449f84417fb1af7